Docs
Launch GraphOS Studio

AWS Lattice troubleshooting guide

Troubleshoot common issues and errors with AWS Lattice


Cloud is currently in invite-only preview. Don't hesitate to get in touch if you'd like to request access or have any questions or feedback.

To learn how to configure AWS VPC Lattice to send traffic to your , refer to the configuration docs.

Enable subgraph error inclusion

To help resolve AWS VPC Lattice connection issues, we recommend enabling error inclusions for your graph during troubleshooting. This configuration lets you see error messages generated by your subgraphs. Follow these steps to do set the configuration:

  1. Go to GraphOS Studio.

  2. Open the Cloud Router page from the left navigation.

  3. Open the Configuration tab:

{' '}

The Cloud Router page in GraphOS Studio
  1. In Router configuration YAML, ensure that the following configuration block that sets include_subgraph_errors is present:
include_subgraph_errors:
all: true
  1. Click the Save button in the top right corner of that section.
GraphOS Studio Router configuration YAML

Configuration changes trigger a new . Please wait a few minutes for your to update with this new configuration. You can monitor the deployment status in the Launches page for your .

Once you've identified and resolved the underlying issue, we recommend you turn off errors by removing the block that sets include_subgraph_errors and saving the configuration YAML again.

Common issues and errors

If you encounter an error or not listed below and need assistance, don't hesitate to get in touch. We're here to help.

Overriding host headers

AWS Lattice relies on the host header to properly secure and route requests. You can't change this header on Cloud . Instead, consider using a header like x-host. You can rewrite an incoming host header as x-host through your router configuration YAML:

router.yaml
# ...other configuration...
headers:
all: # Header rules for all subgraphs
request:
- propagate:
named: 'host'
rename: 'x-host'

Service in resource share doesn't appear in private subgraphs

Cloud does not automatically scan your resource shares for new Lattice services. If you add a service, you can manually trigger a scan by going to your Apollo Organization settings page and clicking the Rescan subgraphs button.

Providing Authorization headers

Because AWS Sigv4 relies on the HTTP Authorization request header for signing requests, you may receive an error like this: You must be authenticated to access this resource. Please provide a valid Bearer Token in the Authorization header.

If your rely on the Authorization header for authentication, your needs to rename it. For example:

router.yaml
# ...other configuration...
headers:
all: # Header rules for all subgraphs
request:
- propagate:
named: 'Authorization'
rename: 'X-Authorization'

Then, ensure you update your to check for either Authorization or your new header name.

Error trying to connect: Connection reset by peer (os error 104)

This error is likely to occur when your tries to send traffic to a port different from the listener on your AWS VPC Lattice service. only supports communicating with over HTTPS on port 443.

You can validate that your Lattice services are configured to receive traffic on the right port by navigating to the service routing page:

  1. In the AWS Console for your region of choice, go to the VPC service page.

  2. In the menu on the left, scroll down and open Services in the VPC Lattice section.

AWS VPC service page left menu
  1. Click the name of the Lattice service leveraged by the in question.
AWS VPC Lattice service
  1. Click the Routing tab.
AWS VPC Lattice routing
  1. Validate that you have a listener with a protocol:port configuration of HTTPS:443.

If this is not the case, you must create a new listener by clicking on the Add listener button at the top left of this section.

HTTP fetch failed from 'subgraph': 403: Forbidden

This error likely occurs for one of the following reasons:

  • One of your clients is sending a request to a over WebSockets.
  • The VPC Lattice IAM policy does not allow traffic from .

Subscriptions over WebSockets

over WebSockets are not supported in AWS VPC Lattice, as the platform lacks WebSocket support at this time. When sending a request to upgrade to a WebSockets connection, Lattice will return a blank response with a 403 response code. In this situation, Lattice will also not emit access log entries to Amazon CloudWatch Logs. We recommend you contact your AWS account team to notify them of your interest in this feature.

VPC Lattice IAM policy

You can validate that your Lattice services are configured to allow traffic from by navigating to the service access page:

  1. In the AWS Console for your region of choice, go to the VPC service page.

  2. In the menu on the left, scroll down and open Services in the VPC Lattice section.

AWS VPC service page left menu
  1. Click the name of the Lattice service leveraged by the in question.
AWS VPC Lattice service
  1. Click the Access tab.

  2. Ensure that the Auth type is set to IAM and that the policy looks like this:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "vpc-lattice-svcs:Invoke",
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths": "o-9vaxczew6u/*/ou-leyb-l9pccq2t/ou-leyb-fvqz35yo/*"
}
}
}
]
}
Previous
AWS Lattice configuration
Next
Migration
Edit on GitHubEditForumsDiscord

© 2024 Apollo Graph Inc.

Privacy Policy

Company